# Lecture 20

## Chapter 5: Authentication

### Construction of CRHF (Collision Resistant Hash Function)

Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.

Base on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:

$Gen(1^n):(g,p,y)$

$p\in \tilde{\Pi}_n(p=2q+1)$

$g$ generator for group of sequence $\mod p$ (G_q)

$y$ is a random element in $G_q$

$h_{g,p,y}(x,b)=y^bg^x\mod p$, $y^bg^x\mod p \in \{0,1\}^n$

$g^x\mod p$ if $b=0$, $y\cdot g^x\mod p$ if $b=1$.

Under the discrete log assumption, $H$ is a CRHF.

- It is easy to sample $(g,p,y)$
- It is easy to compute
- Compressing by 1 bit

Proof:

The hash function $h$ is a CRHF

Suppose there exists an adversary $\mathcal{A}$ that can break $h$ with non-negligible probability $\mu$.

$$
P[(p,g,y)\gets Gen(1^n);(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y):y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p\land (x_1,b_1)\neq (x_2,b_2)]=\mu(n)>\frac{1}{p(n)}
$$

Where $y^{b_1}g^{x_1}=y^{b_2}g^{x_2}\mod p$ is the collision of $H$.

Suppose $b_1=b_2$.

Then $y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p$ implies $g^{x_1}\equiv g^{x_2}\mod p$.

So $x_1=x_2$ and $(x_1,b_1)=(x_2,b_2)$.

So $b_1\neq b_2$, Without loss of generality, say $b_1=1$ and $b_2=0$.

$y\cdot g^{x_1}\equiv g^{x_2}\mod p$ implies $y\equiv g^{x_2-x_1}\mod p$.

We can create a adversary $\mathcal{B}$ that can break the discrete log assumption with non-negligible probability $\mu(n)$ using $\mathcal{A}$.

Let $g,p$ be chosen and set random $x$ such that $y=g^x\mod p$.

Let the algorithm $\mathcal{B}$ defined as follows:

```pseudocode
function B(p,g,y):
    (x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y)
    If (x_1,1) and (x_2,0) and there is a collision:
        y=g^{x_2-x_1}\mod p
        return x_2-x_1 for b=1
    Else:
        return "Failed"
```

$$
P[B\text{ succeeds}]\geq P[A\text{ succeeds}]-\frac{1}{p(n)}>\frac{1}{p(n)}
$$

So $\mathcal{B}$ can break the discrete log assumption with non-negligible probability $\mu(n)$, which contradicts the discrete log assumption.

So $h$ is a CRHF.

QED

To compress by more, say $h_k:{0,1}^n\to \{0,1\}^{n-k},k\geq 1$, then we can use $h: \{0,1\}^{n+1}\to \{0,1\}^n$ multiple times.

$$
h_k(x)=h(h(\cdots(h(x)))\cdots)=h^{k}(x)
$$

To find a collision of $h_k$, the adversary must find a collision of $h$.

### Application of CRHF to Digital Signature

Digital signature scheme on $\{0,1\}^*$ for a fixed security parameter $n$. (one-time secure)

- Use Digital Signature Scheme on $\{0,1\}^{n}$: $Gen, Sign, Ver$.
- Use CRHF family $\{h_i:\{0,1\}^*\to \{0,1\}^n\}_{i\in I}$

$Gen'(1^n):(pk,sk)\gets Gen(1^n)$, choose $i\in I$ uniformly at random.

$sk'=(sk,i)$

$Sign'_{sk'}(m):\sigma\gets Sign_{sk}(h_i(m))$, return $(i,\sigma)$

$pk'=(pk,i)$

$Ver'_{pk'}(m,(i,\sigma)):Ver_{pk}(m,\sigma)$ and $i\in I$

One-time secure:

- Given that ($Gen,Sign,Ver$) is one-time secure
- $h$ is a CRHF

Then ($Gen',Sign',Ver'$) is one-time secure.

Ideas of Proof:

If the digital signature scheme ($Gen',Sign',Ver'$) is not one-time secure, then there exists an adversary $\mathcal{A}$ which can ask oracle for one signature on $m_1$ and receive $\sigma_1=Sign'_{sk'}(m_1)=Sign_{sk}(h_i(m_1))$.

- It outputs $m_2\neq m_1$ and receives $\sigma_2=Sign'_{sk'}(m_2)=Sign_{sk}(h_i(m_2))$.
- If $Ver'_{pk'}(m_2,\sigma_2)$ is accepted, then $Ver_{pk}(h_i(m_2),\sigma_2)$ is accepted and $i\in I$.

There are two cases to consider:

Case 1: $h_i(m_1)=h_i(m_2)$, Then $\mathcal{A}$ finds a collision of $h$.

Case 2: $h_i(m_1)\neq h_i(m_2)$, Then $\mathcal{A}$ produced valid signature on $h_i(m_2)$ after only seeing $Sign'_{sk'}(m_1)\neq Sign'_{sk'}(m_2)$. This contradicts the one-time secure of ($Gen,Sign,Ver$).

QED

### Many-time Secure Digital Signature

Using one-time secure digital signature scheme on $\{0,1\}^*$ to construct many-time secure digital signature scheme on $\{0,1\}^*$.

Let $Gen,Sign,Ver$ defined as follows:

$Gen(1^n):(pk,sk)\gets (pk_0,sk_0)

For the first message:

$(pk_1,sk_1)\gets Gen'(1^n)$

$Sign_{sk}(m_1):\sigma_1\gets Sign_{sk_0}(m_1||pk_1)$, return $\sigma_1'=(1,m_1,pk_1,\sigma_1)$

We need to remember state $\sigma_1'$ and $sk_1$ for the second message.

For the second message:

$(pk_2,sk_2)\gets Gen'(1^n)$

$Sign_{sk}(m_2):\sigma_2\gets Sign_{sk_1}(m_2||pk_0)$, return $\sigma_2'=(0,m_2,pk_0,\sigma_1')$

We need to remember state $\sigma_2'$ and $sk_2$ for the third message.

...

For the $i$-th message:

$(pk_i,sk_i)\gets Gen'(1^n)$

$Sign_{sk}(m_i):\sigma_i\gets Sign_{sk_{i-1}}(m_i||pk_{i-1})$, return $\sigma_i'=(i-1,m_i,pk_{i-1},\sigma_{i-1}')$

We need to remember state $\sigma_i'$ and $sk_i$ for the $(i+1)$-th message.

$Ver_{pk}:(m_i,(i,m_i,p_k,\sigma_i,\sigma_{i-1}))$ Will need to verify all the states public keys so far.

$$
Ver_{pk_0}(m_1||pk_1, \sigma_1) = \text{ Accept}\\
Ver_{pk_1}(m_2||pk_2, \sigma_2) = \text{ Accept}\\
\vdots\\
Ver_{pk_i}(m_i||pk_i, \sigma_i) = \text{ Accept}
$$

Proof on homework.

Drawbacks:

- Signature size and verification time grows linearly with the number of messages.
- Memory for signing grows linearly with the number of messages.

These can be fixed.

Question: Note that the signature signing message longer than the public key, which is impossible in Lamport Scheme.